Design and Semantics of a Decentralized Authorization Language

We present a declarative authorization language that strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. The syntax is close to natural language, and the semantics consists of just three deduction rules. The language can express many common policy idioms using constraints, controlled delegation, recursive predicates, and negated queries. We describe an execution strategy based on translation to Datalog with Constraints, and table-based resolution. We show that this execution strategy is sound, complete, and always terminates, despite recursion and negation, as long as simple syntactic conditions are met.

BeckerFournetGordon_AuthorizationLanguage.pdf
PDF file

In: 20th IEEE Computer Security Foundations Symposium (CSF)

Details

Type: Inproceedings